After a multiyear development process NIST has released ‘Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations’ which updates previous guidance in this area.
The new guidance ‘offers key practices for organizations to adopt as they develop their capability to manage cybersecurity risks within and across their supply chains. It encourages organizations to consider the vulnerabilities not only of a finished product they are considering using, but also of its components - which may have been developed elsewhere - and the journey those components took to reach their destination’.
The primary audience for the publication is acquirers and end users of products, software and services. The guidance helps organizations build cyber security supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks.
Organizations are concerned about the risks associated with products and services that may potentially contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the supply chain. These risks are associated with an enterprise’s decreased visibility into and understanding of how the technology they acquire is developed, integrated, and deployed or the processes, procedures, standards, and practices used to ensure the security, resilience, reliability, safety, integrity, and quality of the products and services. This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations. The publication integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multilevel, C-SCRM-specific approach, including guidance on the development of C-SCRM strategy implementation plans, C-SCRM policies, C-SCRM plans, and risk assessments for products and services.
Read the document (PDF).